Pier Fumagalli wrote:
I found this on the Jetty list, and thought it was relevant as in the
examples we tend to encode the continuation ID into the URL...
This is f***ing scary!!!
Wow, this will either kill urlencoding or IE. Seems like good news
for firefox, though.
Pier
Begin forwarded message:
From: "Chris Haynes" <[EMAIL PROTECTED]>
Date: 28 September 2005 13:04:53 BDT
To: "Jetty Discuss" <[EMAIL PROTECTED]>
Subject: [jetty-discuss] Microsoft IE7 compromise of session security
Reply-To: [EMAIL PROTECTED]
List-Id: Discussion for Jetty development.
<jetty-discuss.lists.sourceforge.net>
Everyone concerned with data security and privacy should read the
Microsoft developer Blog describing their IE7 anti-phishing feature:
http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx
With this browser feature enabled, Microsoft sends a copy of the URL +
path of every accessed page back to their HQ - even if you have
HTTPS/SSL/TLS enabled!
Note the posts I have added to the blog on and since 26 Sept, and the
Microsoft response confirming the compromise of HTTPS.
It is possible that beta browsers with this feature are already
available in the wild.
There is one particular aspect that Servlet developers / security
managers should be aware of...
If using URL-rewriting for session management, Microsoft will be sent
a copy of the Session ID while that session is still open (whether or
not TLS is involved), as this session ID is contained within the path.
There is nothing technical preventing, say, a Microsoft employee or
contractor from joining that session.
Jetty might need to add a site-selectable option which detects the
IE7 agent and throws an Exception if URL-rewriting is invoked - to
prevent session IDs being sent to a compromised browser. Views, anyone?
The other security / privacy concerns with this feature are of a
broader nature, and probably OT for this list.
Chris Haynes
--
Stefano.
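Chris's proposal above (refuse URL-rewriting for the affected browser), worked through as an added example. This is not code from the thread or from Jetty; it is a plain Servlet 2.4 filter that would sit in front of a web application. The `agentPattern` init-param and the `NoUrlSessionFilter` name are assumptions of this example; so is the idea that an IE7 beta User-Agent contains "MSIE 7.0". The default applies the policy to every client, which is the safer choice, since the concern (a session ID travelling in the path, with or without TLS) is not specific to one browser.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (not Jetty code) that disables URL-rewritten session
 * tracking for clients whose User-Agent matches "agentPattern":
 *
 *  - encodeURL()/encodeRedirectURL() return the URL unchanged, so the
 *    container never appends ";jsessionid=..." to links, forms or redirects;
 *    only cookie-based tracking remains.
 *  - A request that already carries its session ID in the URL is treated as
 *    leaked: that session is invalidated and the client is redirected to the
 *    same resource with the path parameter stripped.
 */
public class NoUrlSessionFilter implements Filter {
    // Assumption: a regex over the User-Agent header. ".*" (the default)
    // applies the policy to every client; ".*MSIE 7\\.0.*" would limit it to
    // IE7 as proposed in the thread.
    private String agentPattern = ".*";

    public void init(FilterConfig config) throws ServletException {
        String p = config.getInitParameter("agentPattern");
        if (p != null) agentPattern = p;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String ua = request.getHeader("User-Agent");
        if (ua == null || !ua.matches(agentPattern)) {
            chain.doFilter(req, res);            // policy does not apply to this client
            return;
        }

        if (request.isRequestedSessionIdFromURL()) {
            // The ID has already been sent in the path (and possibly onward to
            // a third party): discard that session and start over without it.
            HttpSession s = request.getSession(false);
            if (s != null) s.invalidate();
            // getRequestURI() may still contain the ";jsessionid=..." path
            // parameter; remove it before redirecting to the clean URL.
            String clean = request.getRequestURI().replaceAll(";jsessionid=[^;?]*", "");
            if (request.getQueryString() != null) clean += "?" + request.getQueryString();
            response.sendRedirect(clean);        // sendRedirect() does not re-encode
            return;
        }

        // Hand the application a response whose URL encoders are no-ops, so no
        // session ID can be written into a URL for this client.
        chain.doFilter(req, new HttpServletResponseWrapper(response) {
            public String encodeURL(String url) { return url; }
            public String encodeRedirectURL(String url) { return url; }
        });
    }

    public void destroy() {}
}
```

Map the filter to `/*` in web.xml and set `agentPattern` only if you really want to limit it to one browser. The trade-off is the one Chris's proposal implies: clients that refuse cookies lose their session rather than falling back to a URL that carries the ID into a third party's logs.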